The audit team

This section includes an excerpt from the orientation guide to documentation of compliance pursuant to Section 8a (3) of the BSI-Act.

Tasks

An audit team of the auditing body implements the audit according to a specified audit process and draws up an audit report documenting the audit results.

This audit can be performed in one of the following ways:

  • as an individual audit by a suitable (internal or external) auditing body
  • as an additional audit, e.g. within the scope of
      • an internal ISMS audit by internal, independent IS auditors (first-party audit)
      • an audit performed by qualified public auditors
      • an ISO/IEC 27001 certification, i.e. a certification, surveillance or re-certification audit (native or on the basis of IT-Grundschutz) by auditors (third-party audit)

Competence and suitability

To enable the auditors commissioned by the KRITIS operator to perform the appropriate audits, and thereby to provide the documentation of compliance required by law, they must be competent in the following fields:

  • Additional audit process competence for Section 8a of the BSI-Act
  • Audit competence
  • IT security competence and information security competence
  • Industry competence

An individual auditor does not have to possess all of these competences; it is sufficient that the audit team as a whole is composed so that every area of competence is covered. If the auditors themselves lack a required competence, a technical expert with the appropriate knowledge can be added to the audit team. Particularly with regard to industry competence, it can be helpful to call in different experts for different areas.

Employees of the KRITIS operator or of its service provider who are entrusted with the operation or IT security of the system under audit are not eligible as members of the audit team. The audit team can still draw on the expert knowledge of this group of people by interviewing them. However, their participation as members of the audit team, and thus in the assessment of the facts established during the audit, must be excluded.